Define what happens when the Document loses focus

[jcjones]

(Related to #292)

If an operation such as makeCredential or getAssertion is in progress, and the UA changes focus (e.g., the user switches tabs), what should happen?

I believe it is the case that at least some U2F implementations cancel all operations in-flight and return errors, to avoid potential phishing or denial of service attacks. If that's correct, we should define that behavior for WebAuthn as well.

[equalsJeffH]

You mean U2F client implementations in browsers I presume.

Is this sort of impl considerations written down anywhere (eg mailing list archives, release notes, api documentation, etc) or is only ensconced in code?

[AngeloKai]

I don't see any use cases of any WebAuthn operation when the UA changed the focus, especially considering that the API is not under worker. Let's try to get this in spec soon so that we avoid attacks.

[jyasskin]

https://w3c.github.io/web-nfc/#handling-window-visibility-and-focus has an attempt to handle focus changes for the NFC API. I think some of the details there have problems, but it points to useful hooks in HTML and Page Visibility.

[selfissued]

If we are going to specify behaviors for this case, we should do so for the Implementer's Draft, since they will affect interop. Or we can decide to leave this unspecified and explicitly document it as such.